Modern telecommunication systems may incorporate Policy and Charging Control (PCC) architectures. A PCC architecture is described in 3GPP TS 23.203 in respect of packet flows (e.g. IP flows) in a data session (e.g., in 3GPP TS 23.203 terminology: an “IP Connectivity Access Network session”, IP-CAN session) established by a user equipment UE through a 3G telecommunications system. The particular architecture comprises: a Policy and Charging Rules Function (PCRF) and a Policy and Charging Enforcement Function (PCEF). The PCRF behaves as a Policy Decision Point (PDP) or Policy Server (PS), and the PCEF behaves as a Policy Enforcing Point (PEP). Whilst the PCRF can be implemented as a standalone node, it is preferably co-located within an Access Gateway (AG) such as a GPRS Gateway Support Node (GGSN) in a General Packet Radio Service (GPRS) core network. Related architectures are provided for 3GPP2 networks and TISPAN Next Generation Networks.
A packet data flow (such as an IP flow) is a set of data packets (e.g. IP packets) passing a routing node in a packet data network during a certain time interval to or from the same endpoints. For example, a packet flow may be an IP flow, where each packet of the flow contains the same values of source IP address, source application layer port (e.g. TCP), destination IP address and destination application layer port. A routing node may be an apparatus in a network arranged to forward a received data packet. Examples of routing nodes are an “Access Gateway” or the “classifier/DPI Node” illustrated in FIG. 1. Some routing nodes in a network can perform further functions (such as Quality of Service and charging functions). An example is a Policy and Charging Enforcing Function (PCEF) as defined in 3GPP specification TS 23.203.
When a User Equipment (UE) initiates a data session (e.g. an IP-CAN session), a packet data network address, such as an IP address, is assigned to it by an appropriate AG. The AG provides this IP address, together with, for example, an NAI, IMSI, or MSISDN, to the PS, which in turn downloads into the AG a set of policy rules to be applied to the data session. Commonly, the assigned IP address is used to identify data sessions between parties (e.g. between user terminals UEs, and/or between a UE and a server, such as an Application Function AF). When the UE communicates with a (final) Application Function (AF), the AF provides session details to the PS. When the UE subsequently requests resources for the service provided by the AF, the PS downloads into the AG a further set of policy rules based on the session details provided by the AF. In a 3GPP network, the AF may be a Proxy Call Session Control Function, P-CSCF, or another kind of application server to which the UE establishes an application communication via bearer(s) set up via IP-CAN session(s) through the AG.
Typically, a policy rule comprises a so-called IP 5-Tuple vector describing a data packet flow within a data session (namely: orig IP-addr/port, dest IP-addr/port, protocol-TCP/UDP). The PCEF inspects packets to detect the relevant tuples and apply the rules. However, this technique allows only a limited (coarse) analysis of packets, as it does not allow packet inspection beyond these five header fields, e.g. it does not allow inspection of payload data.
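The following added example (not taken from the patent text or from 3GPP TS 23.203) sketches 5-tuple rule selection as described above and shows why it is coarse: two packets carrying different application payloads to the same port receive the same rule. The `Rule` and `Packet` types, the rule names and the precedence ordering are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes  # never consulted by the 5-tuple matcher below

@dataclass(frozen=True)
class Rule:
    """One 5-tuple filter; None or a /0 prefix acts as a wildcard."""
    name: str
    precedence: int  # lower value is evaluated first
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.proto in (None, p.proto))

def select_rule(rules, pkt):
    """Return the name of the first matching rule in precedence order."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule.matches(pkt):
            return rule.name
    return "default"

# Hypothetical rule set and constructed packets (private/documentation addresses).
RULES = [Rule("dns", 20, dport=53, proto="UDP"),
         Rule("web", 10, src="10.0.0.0/8", dport=80, proto="TCP")]
WEB = Packet("10.1.2.3", 40000, "192.0.2.10", 80, "TCP", b"GET / HTTP/1.1\r\n")
P2P = Packet("10.1.2.3", 40001, "192.0.2.10", 80, "TCP", b"\x13BitTorrent protocol")
DNS = Packet("10.1.2.3", 53000, "192.0.2.53", 53, "UDP", b"")

if __name__ == "__main__":
    for pkt in (WEB, P2P, DNS):
        print(pkt.dport, pkt.payload[:12], "->", select_rule(RULES, pkt))
```

Both TCP packets are handled by the `web` rule even though only one of them carries HTTP, which is the gap that payload-level inspection is meant to close.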
So-called “Deep Packet Inspection” (DPI) is a mechanism that can be deployed at an intermediate node within an IP network in order to inspect fields within packets of an IP flow at a level beneath the layer 3 IP addresses and port numbers. DPI may be advantageously deployed within a PCC architecture of a 3GPP network or other telecommunications network in order to classify packet flows at a level deeper than that allowed by inspection of only the 5-Tuple layer 3 vector. FIG. 1 illustrates schematically an exemplary PCC architecture in which a further packet classifier/DPI node is deployed, which performs deep packet inspection for classifying packets, for the exemplary case where an IP flow travels in one direction from a user equipment UE1 to user equipment UE2. Other approaches, e.g. shallow packet inspection, may alternatively be employed.
In DPI terminology, a “class” is defined by certain IP flow characteristics. IP flows fall into one or more classes. A “classifier” is an algorithm that predicts a class or classes to which an IP flow belongs. A “class model” of a classifier is the set of IP flows that a classifier will predict as belonging to that class.
A DPI mechanism may allow labels to be applied to packets of a packet flow in order to identify, for example, a class to which the packet flow belongs. Labels can then be used at routing nodes to, for example, check suspicious traffic, limit the bandwidth of certain applications, cut off a flow, apply certain Quality of Service and/or charging policies, mine data, etc.
DPI solutions may utilise header matching for IP, or protocols over IP such as transport layer protocols (TCP, UDP) or application layer protocols (HTTP protocol, SIP protocol, some peer-to-peer protocols, etc). Some may further or alternatively use patterns on statistical properties of the data flow, such as mean or variance of upstream/downstream packets, or jitter in packet sending. Other DPI solutions calculate simple correlation measurements between these quantities. A few have even started to use data mining techniques to classify or cluster IP flows, sometimes using semi-supervised techniques to classify many similar unlabelled examples with just a few pre-labelled examples. Statistical properties, being numerical quantities, are amenable to data mining treatment.
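As an added illustration (not part of the patent text), the statistical properties named above can be computed per flow and used to label an unknown flow from a few pre-labelled ones. Nearest-neighbour matching is used here as a simple stand-in for the data mining techniques mentioned; the jitter definition, the feature scaling, the class names and all sample flows are assumptions of the example.

```python
from statistics import mean, pvariance

def flow_features(packets):
    """packets: list of (timestamp_s, direction, size_bytes); 'up' = sent by the UE."""
    feats = {}
    for d in ("up", "down"):
        sizes = [size for _, direction, size in packets if direction == d]
        feats[d + "_mean"] = mean(sizes) if sizes else 0.0
        feats[d + "_var"] = pvariance(sizes) if sizes else 0.0
    times = sorted(t for t, _, _ in packets)
    gaps = [b - a for a, b in zip(times, times[1:])]
    # Jitter is taken here as the mean absolute deviation of inter-arrival
    # gaps; this definition is an assumption of the example.
    avg = mean(gaps) if gaps else 0.0
    feats["jitter"] = mean(abs(g - avg) for g in gaps) if gaps else 0.0
    return feats

def classify(unknown, labelled):
    """Label a flow by its nearest pre-labelled flow in scaled feature space."""
    ref = {cls: flow_features(pkts) for cls, pkts in labelled.items()}
    u = flow_features(unknown)
    # Scale each feature by its largest labelled value so that no single
    # quantity (e.g. variance in bytes^2) dominates the distance.
    scale = {k: max(abs(f[k]) for f in ref.values()) or 1.0 for k in u}
    def dist(f):
        return sum(((u[k] - f[k]) / scale[k]) ** 2 for k in u)
    return min(ref, key=lambda cls: dist(ref[cls]))

def bulk_flow(times, down, last):
    # Two data segments down, one ACK up, repeated; final segment is short.
    dirs = ["down", "down", "up", "down", "down", "up", "down", "down"]
    sizes = [down if d == "down" else 60 for d in dirs]
    sizes[-1] = last
    return list(zip(times, dirs, sizes))

# Constructed flows, not captured traffic.
LABELLED = {
    "voip": [(i * 0.02, "up" if i % 2 == 0 else "down", 172) for i in range(20)],
    "bulk": bulk_flow([0.0, 0.001, 0.002, 0.050, 0.051, 0.052, 0.120, 0.121], 1460, 800),
}
UNKNOWN_A = [(i * 0.02 + (0.002 if i % 3 == 0 else 0.0),
              "up" if i % 2 == 0 else "down", 160) for i in range(20)]
UNKNOWN_B = bulk_flow([0.0, 0.002, 0.003, 0.040, 0.041, 0.043, 0.100, 0.101], 1400, 500)

if __name__ == "__main__":
    for name, flow in (("A", UNKNOWN_A), ("B", UNKNOWN_B)):
        print(name, classify(flow, LABELLED))
```

The classifier reads only packet sizes, directions and timing, so it is passive in the same sense as header matching: it uses nothing beyond what the sampled packets themselves reveal.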
Given the huge and increasing number of services available today over IP networks, and the diverse characteristics that these services can have with regard to DPI characteristics, it is likely that certain IP flows will not be easily classified by existing DPI solutions, which are generally passive in nature.
Patent publication EP 1764951A1 describes a DPI solution for real-time packet classification, wherein the packet flow classifiers are updated “off-line” dynamically. The solution is based on passive rules governing the packet classifiers, in the sense that only the content of the sampled packets is used for classification.